What happened in the Reproducible Builds effort between Sunday November 6 and Saturday November 12 2016:

Media coverage

Matthew Garrett blogged about Tor, TPMs and service integrity attestation and how reproducible builds are the base for systems integrity.

The Linux Foundation announced renewed funding for us as part of the Core Infrastructure Initiative. Thank you!

Outreachy updates

Maria Glukhova has been accepted into the Outreachy winter internship and will work with us, the Debian reproducible builds team.

To quote her words:

siamezzze: I've been accepted to #outreachy winter internship - going to
work with Debian reproducible builds team. So excited about that! <3
Debian

Toolchain development and fixes

dpkg:

  • Thanks to a series of dpkg uploads by Guillem Jover, all our toolchain changes are now finally available in sid!
  • This means your packages should now be reproducible without having to use our custom APT repository.
  • Ximin Luo opened #843925 as a reminder that dpkg-buildpackage should sign buildinfo files.
  • We hope to have a detailed post about the new dpkg and the new .buildinfo files for debian-devel-announce soon!

debrebuild:

  • srebuild / debrebuild work was resumed by Johannes Schauer and others in #774415.

Bugs filed

Chris Lamb:

Daniel Shahaf:

Niko Tyni:

Reiner Herrmann:

Reviews of unreproducible packages

136 package reviews have been added, 5 have been updated and 7 have been removed this week, adding to our knowledge about identified issues.

3 issue types have been updated:

Weekly QA work

During reproducibility testing, some FTBFS bugs have been detected and reported by:

  • Chris Lamb (29)
  • Niko Tyni (1)

diffoscope development

A new version of diffoscope 62~bpo8+1 was uploaded to jessie-backports by Mattia Rizzolo.

Meanwhile in git, Ximin Luo greatly improved speed by fixing an O(n²) lookup which was causing diffs of large packages such as GCC and glibc to take many more hours than was necessary. When this commit is released, we should hopefully see full diffs for such packages again. Currently we have 197 source packages which - when built - diffoscope fails to analyse.

buildinfo.debian.net development

  • Submissions with duplicate Installed-Build-Depends entries are rejected now that a bug in dpkg causing them has been fixed. Thanks to Guillem Jover.
  • A new page has been added for every (source, version) combination, for example diffoscope 62.
  • DigitalOcean have generously offered to sponsor the hardware buildinfo.debian.net is running on.
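
The duplicate check described in the first item above could look like the following. This is an added example, not buildinfo.debian.net's own code; the function names, the sample data, and the rule that a repeated package name counts as a duplicate are assumptions made for illustration.

```python
import re

# Constructed sample .buildinfo fragment (not a real upload); autoconf appears twice.
SAMPLE = """\
Format: 1.0
Source: hello
Version: 2.10-1
Installed-Build-Depends:
 autoconf (= 2.69-10),
 base-files (= 9.7),
 autoconf (= 2.69-10),
 libc6 (= 2.24-5)
Environment:
 LANG="C"
"""

# Assumed entry shape: "name (= version)"; the name may carry an ":arch" qualifier.
ENTRY = re.compile(r"^(?P<name>[a-z0-9][a-z0-9+.:-]+)\s*\(=\s*(?P<ver>[^)\s]+)\)$")

def field_value(text, name):
    """Return the unfolded value of one deb822-style field, or None if absent."""
    out, inside = [], False
    for line in text.splitlines():
        if inside:
            if line[:1] in (" ", "\t"):      # continuation line of our field
                out.append(line.strip())
                continue
            break                             # the next field has started
        key, sep, rest = line.partition(":")
        if sep and key.lower() == name.lower():
            inside = True
            out.append(rest.strip())
    return " ".join(out).strip() if inside else None

def check_installed_build_depends(text):
    """Return (accepted, duplicates, malformed) for one submission (hypothetical API)."""
    value = field_value(text, "Installed-Build-Depends")
    if value is None:
        return False, [], ["field missing"]
    seen, duplicates, malformed = set(), [], []
    for item in filter(None, (raw.strip() for raw in value.split(","))):
        match = ENTRY.match(item)
        if not match:
            malformed.append(item)            # reject rather than guess at the entry
        elif match["name"] in seen:
            duplicates.append(match["name"])
        else:
            seen.add(match["name"])
    return not (duplicates or malformed), duplicates, malformed
```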

tests.reproducible-builds.org

Debian:

  • For privacy reasons, the new dpkg-genbuildinfo includes Build-Path only if it is under /build. HW42 updated our jobs so this is the case for our builds too, so you can see the build path in the .buildinfo files.
  • HW42 also updated our jobs to vary the basename of the source extraction directory. This detects packages that incorrectly assume a $pkg-$version directory naming scheme (which is what dpkg-source -x gives but is neither mandated by Debian nor always true) or that assume they are being built from an SCM.
  • The new dpkg-genbuildinfo also records a sanitised Environment. This is different in our builds, so HW42, Reiner and Holger updated our jobs to hide these differences from diffoscope output.
  • Package-set improvements:
  • Valerie Young contributed four patches for our long-planned transition from SQLite to PostgreSQL.
  • In anticipation of the freeze, already-tested packages from unstable and testing on amd64 are now scheduled with equal priority.

reproducible-builds.org website

F-Droid was finally added to our list of partner projects. (This was an oversight and they had already been working with us for some time.)

Misc.

This week's edition was written by Ximin Luo and Holger Levsen and reviewed by a bunch of Reproducible Builds folks on IRC.